1. Home
  2. Matrices
  3. Enterprise
  4. Linux

Linux Matrix

Below are the tactics and techniques representing the MITRE ATT&CK® Linux platform. The techniques below are known to target hosts running Linux operating systems. The Matrix contains information for the Linux platform.

View on the ATT&CK® Navigator
Version Permalink
Initial Access Execution Persistence Privilege Escalation Stealth Defense Impairment Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
10 techniques 11 techniques 17 techniques 11 techniques 19 techniques 8 techniques 15 techniques 26 techniques 8 techniques 14 techniques 18 techniques 8 techniques 15 techniques
Content Injection
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing (4)
=
Supply Chain Compromise (3)
=
Trusted Relationship
Valid Accounts (3)
=
Wi-Fi Networks
Command and Scripting Interpreter (5)
=
Exploitation for Client Execution
Hijack Execution Flow (2)
=
Input Injection
Inter-Process Communication
Native API
Scheduled Task/Job (3)
=
Shared Modules
Software Deployment Tools
System Services (1)
=
User Execution (4)
=
Account Manipulation (2)
=
Boot or Logon Autostart Execution (2)
=
Boot or Logon Initialization Scripts (1)
=
Compromise Host Software Binary
Create Account (2)
=
Create or Modify System Process (1)
=
Event Triggered Execution (5)
=
Exclusive Control
External Remote Services
Modify Authentication Process (2)
=
Power Settings
Pre-OS Boot (2)
=
Scheduled Task/Job (3)
=
Server Software Component (3)
=
Software Extensions (2)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (2)
=
Account Manipulation (2)
=
Boot or Logon Autostart Execution (2)
=
Boot or Logon Initialization Scripts (1)
=
Create or Modify System Process (1)
=
Escape to Host
Event Triggered Execution (5)
=
Exploitation for Privilege Escalation
Process Injection (3)
=
Scheduled Task/Job (3)
=
Valid Accounts (3)
=
Debugger Evasion
Delay Execution
Deobfuscate/Decode Files or Information
Execution Guardrails (2)
=
Exploitation for Stealth
Hide Artifacts (11)
=
Hijack Execution Flow (2)
=
Indicator Removal (7)
=
Masquerading (10)
=
Obfuscated Files or Information (16)
=
Pre-OS Boot (2)
=
Process Injection (3)
=
Reflective Code Loading
Rootkit
Social Engineering (2)
=
System Binary Proxy Execution (1)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
=
Disable or Modify System Firewall
Disable or Modify Tools (3)
=
Downgrade Attack
Exploitation for Defense Impairment
File and Directory Permissions Modification (1)
=
Modify Authentication Process (2)
=
Prevent Command History Logging
Subvert Trust Controls (1)
=
Adversary-in-the-Middle (2)
=
Brute Force (4)
=
Credentials from Password Stores (3)
=
Exploitation for Credential Access
Forge Web Credentials (1)
=
Input Capture (4)
=
Modify Authentication Process (2)
=
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping (3)
=
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets (1)
=
Steal Web Session Cookie
Unsecured Credentials (3)
=
Account Discovery (2)
=
Application Window Discovery
Browser Information Discovery
Debugger Evasion
Device Driver Discovery
File and Directory Discovery
Local Storage Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery (2)
=
Process Discovery
Remote System Discovery
Software Discovery (2)
=
System Information Discovery
System Location Discovery (1)
=
System Network Configuration Discovery (2)
=
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtual Machine Discovery
Virtualization/Sandbox Evasion (3)
=
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
Remote Service Session Hijacking (1)
=
Remote Services (2)
=
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material
Adversary-in-the-Middle (2)
=
Archive Collected Data (3)
=
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories (1)
=
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged (2)
=
Email Collection (1)
=
Input Capture (4)
=
Screen Capture
Video Capture
Application Layer Protocol (5)
=
Communication Through Removable Media
Content Injection
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
=
Fallback Channels
Hide Infrastructure
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
Proxy (4)
=
Remote Access Tools (3)
=
Traffic Signaling (2)
=
Web Service (3)
=
Automated Exfiltration
Data Transfer Size Limits
Exfiltration Over Alternative Protocol (3)
=
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (4)
=
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
=
Email Bombing
Endpoint Denial of Service (4)
=
Financial Theft
Firmware Corruption
Inhibit System Recovery
Network Denial of Service (2)
=
Resource Hijacking (2)
=
Service Stop
System Shutdown/Reboot
Initial Access Execution Persistence Privilege Escalation Stealth Defense Impairment Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
10 techniques 11 techniques 17 techniques 11 techniques 19 techniques 8 techniques 15 techniques 26 techniques 8 techniques 14 techniques 18 techniques 8 techniques 15 techniques
Content Injection
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
=
Phishing (4)
=
Supply Chain Compromise (3)
Trusted Relationship
=
Valid Accounts (3)
Wi-Fi Networks
=
Command and Scripting Interpreter (5)
Exploitation for Client Execution
=
Hijack Execution Flow (2)
Input Injection
Inter-Process Communication
Native API
=
Scheduled Task/Job (3)
Shared Modules
Software Deployment Tools
=
System Services (1)
=
User Execution (4)
=
Account Manipulation (2)
=
Boot or Logon Autostart Execution (2)
=
Boot or Logon Initialization Scripts (1)
Compromise Host Software Binary
=
Create Account (2)
=
Create or Modify System Process (1)
=
Event Triggered Execution (5)
Exclusive Control
External Remote Services
=
Modify Authentication Process (2)
Power Settings
=
Pre-OS Boot (2)
=
Scheduled Task/Job (3)
=
Server Software Component (3)
=
Software Extensions (2)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Abuse Elevation Control Mechanism (2)
=
Account Manipulation (2)
=
Boot or Logon Autostart Execution (2)
=
Boot or Logon Initialization Scripts (1)
=
Create or Modify System Process (1)
Escape to Host
=
Event Triggered Execution (5)
Exploitation for Privilege Escalation
=
Process Injection (3)
=
Scheduled Task/Job (3)
=
Valid Accounts (3)
Debugger Evasion
Delay Execution
Deobfuscate/Decode Files or Information
=
Execution Guardrails (2)
Exploitation for Stealth
=
Hide Artifacts (11)
=
Hijack Execution Flow (2)
=
Indicator Removal (7)
=
Masquerading (10)
=
Obfuscated Files or Information (16)
=
Pre-OS Boot (2)
=
Process Injection (3)
Reflective Code Loading
Rootkit
=
Social Engineering (2)
=
System Binary Proxy Execution (1)
=
Traffic Signaling (2)
=
Valid Accounts (3)
=
Virtualization/Sandbox Evasion (3)
Disable or Modify System Firewall
=
Disable or Modify Tools (3)
Downgrade Attack
Exploitation for Defense Impairment
=
File and Directory Permissions Modification (1)
=
Modify Authentication Process (2)
Prevent Command History Logging
=
Subvert Trust Controls (1)
=
Adversary-in-the-Middle (2)
=
Brute Force (4)
=
Credentials from Password Stores (3)
Exploitation for Credential Access
=
Forge Web Credentials (1)
=
Input Capture (4)
=
Modify Authentication Process (2)
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
=
OS Credential Dumping (3)
Steal or Forge Authentication Certificates
=
Steal or Forge Kerberos Tickets (1)
Steal Web Session Cookie
=
Unsecured Credentials (3)
=
Account Discovery (2)
Application Window Discovery
Browser Information Discovery
Debugger Evasion
Device Driver Discovery
File and Directory Discovery
Local Storage Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
=
Permission Groups Discovery (2)
Process Discovery
Remote System Discovery
=
Software Discovery (2)
System Information Discovery
=
System Location Discovery (1)
=
System Network Configuration Discovery (2)
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtual Machine Discovery
=
Virtualization/Sandbox Evasion (3)
Exploitation of Remote Services
Internal Spearphishing
Lateral Tool Transfer
=
Remote Service Session Hijacking (1)
=
Remote Services (2)
Software Deployment Tools
Taint Shared Content
Use Alternate Authentication Material
=
Adversary-in-the-Middle (2)
=
Archive Collected Data (3)
Audio Capture
Automated Collection
Clipboard Data
=
Data from Information Repositories (1)
Data from Local System
Data from Network Shared Drive
Data from Removable Media
=
Data Staged (2)
=
Email Collection (1)
=
Input Capture (4)
Screen Capture
Video Capture
=
Application Layer Protocol (5)
Communication Through Removable Media
Content Injection
=
Data Encoding (2)
=
Data Obfuscation (3)
=
Dynamic Resolution (3)
=
Encrypted Channel (2)
Fallback Channels
Hide Infrastructure
Ingress Tool Transfer
Multi-Stage Channels
Non-Application Layer Protocol
Non-Standard Port
Protocol Tunneling
=
Proxy (4)
=
Remote Access Tools (3)
=
Traffic Signaling (2)
=
Web Service (3)
Automated Exfiltration
Data Transfer Size Limits
=
Exfiltration Over Alternative Protocol (3)
Exfiltration Over C2 Channel
=
Exfiltration Over Other Network Medium (1)
=
Exfiltration Over Physical Medium (1)
=
Exfiltration Over Web Service (4)
Scheduled Transfer
Account Access Removal
Data Destruction
Data Encrypted for Impact
=
Data Manipulation (3)
=
Defacement (2)
=
Disk Wipe (2)
Email Bombing
=
Endpoint Denial of Service (4)
Financial Theft
Firmware Corruption
Inhibit System Recovery
=
Network Denial of Service (2)
=
Resource Hijacking (2)
Service Stop
System Shutdown/Reboot